Thursday, 14 January 2016

Is Workplace Privacy Dead? Comments on the Barbulescu judgment

Steve Peers

When can an employer read an
employee’s e-mails or texts, or track her use of the Internet? It’s an important question for both employers and
employees. A judgment this week in Barbulescu v Romania addressed the issue, but unfortunately has been greeted by
press headlines such as ‘EU court allows employers to read all employee e-mails’.
This is wrong on two counts: it’s not a judgment of an EU court, but of the separate
European Court of Human Rights; and the ruling does not allow employers to read
all employee e-mails without limitation.

So what exactly did the judgment decide? And would the
ruling have been any different if an EU court had decided it?

Background

The European Court of Human
Rights (ECtHR) has jurisdiction only to interpret the European Convention on
Human Rights (ECHR) and its protocols. The Barbulescu
case concerns the right to privacy under Article 8 ECHR, which can be limited
on certain grounds according to Article 8(2). It follows on from, and further
develops, previous rulings on similar issues.

In Halford v UK, a well-known case concerning a policewoman suing her
local force for sex discrimination, the ECtHR ruled that Article 8 was breached
when the police force intercepted calls from a separate work telephone which
they had provided for her to contact her lawyers. The key points of the judgment
were that Article 8 can apply to workplaces, depending on whether there was a ‘reasonable
expectation of privacy’. Ms. Halford had such an expectation since the police
force had made a particular point of providing her with a separate telephone
and assuring her that she could use it to discuss the litigation privately.

Obviously, situations like that
are rare. It’s far more common that an employee might use a computer or phone
provided by the employer in the ordinary course of work in order to have some
private communication. Yet Article 8 can also protect employees in those cases
too. In Copland v UK, the
ECtHR ruled that Article 8 was breached when an employee’s phone calls, e-mails
and Internet use from work were monitored by her boss. The crucial point was
that there was ‘no warning that her calls [or e-mail or Internet use] would be
liable to monitoring’.

The new judgment

How is Barbulescu different from Copland?
The answer is that the facts are quite different. In the newer case, the employer
had an absolute ban on employee’s use of work equipment for private reasons. Barbulescu’s
boss suspected that he was not complying with this policy, and informed him of
its suspicions, on the basis of monitoring his account. The employee denied non-compliance,
so the employer presented him with a transcript of his Yahoo Messenger
communications, which included personal communications. He sued his employer in
the Romanian courts and lost, so he brought his compliant to the ECtHR.

The Court ruled that the
complaint was admissible, but the majority rejected his Article 8 claim on the
merits. While Article 8 was applicable, his employer was simply trying to
enforce its absolute ban on private use of work equipment, and he had breached
his employment contract. The employer had only accessed the account to check
whether he was using it just for professional purposes, given that he had
claimed that he did not use it for private reasons. The use of the transcript
of his communications was limited, since the identity of the other parties to
the communication was not disclosed. Other documents stored on his computer
were not checked, and he did not have a convincing reason for using work equipment
for private purposes.

One dissenting judge argued in
detail that the majority was quite wrong on the merits, arguing for more
stringent control of employers’ monitoring of employees’ private Internet use
(primarily by means of detailed notification requirements). It should be noted
that Mr. Barbulescu can still ask the Grand Chamber of the ECtHR to review this
judgment, since it was issued by a Chamber of judges.

Impact

The Court is clearly not
overturning its prior case law: it distinguishes Halford and Copland, rather
than reversing them. So Barbulescu definitely
does not give employers carte
blanche to put their employees under surveillance. There remain – as there were
before this judgment – cases where such surveillance is justified, and cases
where it is not. The importance of Barbulescu
is some clarification on where the dividing line falls between those two
categories.

Legally speaking, that line is
determined by the degree of ‘reasonable expectation of privacy’ that employees
have at the workplace. They have such an expectation where the employer has
expressly allowed them to use a phone or computer for private purposes (Halford), or where it was tolerated (Copland). In this case, the crucial
difference is that the employer banned such use.

Moreover, the Court also mentions
other specific factors, as listed above: access to the communications followed
a denial by the employee; use of the transcript of the communications was limited;
other documents stored on the computer were not checked; and there was no convincing
reason for using work equipment for private purposes. The Court also emphasised
the fact that the employee brought an employment law claim, rather than a
criminal law or data protection law claim. Arguably, all of these factors are relevant
and must be considered in addition to the employer’s ban on private use of work
equipment.

In any event, the ruling is
questionable authority, for two reasons. First of all, it’s possible that the Grand
Chamber of the ECtHR will review it and overturn it. This would be richly
deserved because – with the greatest respect – it’s a very poorly reasoned
judgment. Secondly, it’s arguable that EU law sets higher standards. Let’s
examine these two points in turn.

Comments

What are the flaws in reasoning?
First of all, the majority in Barbulescu purport
to distinguish the prior judgment in Copland,
but in fact they contradict that previous ruling. They describe it as a case
where employee use of the employer’s Internet was ‘tolerated’. That’s true, but it’s not all. As can
be seen from the quote above, the crucial point of that judgment was that the
employee was not told about the employer’s
surveillance. That’s a crucial distinction because it’s not clear whether
the employee knew about the surveillance in this case (the point was disputed
between the parties, and the ECtHR decided not to address it). Of course, the
point has much broader relevance: there may be many other employers in Europe
which have a blanket ban on employee use of the Internet, but which have not
informed their employees about surveillance. Is that failure to inform crucial
(Copland), or (apparently) not (Barbulescu)?Or is it only crucial where the private use of employer equipment
is not banned?

Secondly, there are internal
contradictions in the reasoning. The Court places great stress on the fact that
the employer only subjected the employee to surveillance when he claimed that
his use of the messaging service was for work reasons only. So it had no reason
to expect to find personal data in those messages, when it checked them to see
if he was lying (para 57). That sounds reasonable. But in the presentation of
the facts (at para 7), the accusation that the employee was using work
equipment for personal reasons was based on placing him under surveillance. In
other words, he was put under surveillance first.
This isn’t a minor quibble, because it raises an important question of whether
employers which impose a general ban on the private use of work equipment have
a general prerogative to place their employees under surveillance, or whether there
must be some specific reason (such as the employee’s denial of an accusation to
that effect) to do so.

The Court also asserts that the
identities of other people were not disclosed in the transcripts of private
messages. But the judgment refers to the applicant’s brother and fiancée.
Anyone who knows him knows who they are. Indeed, if Barbulescu has a social
media presence, I could probably find out who they are myself – with a bit of
help from Google Translate. (I haven’t actually tried this).

Finally, the Court accepts that the
Article 8 right to privacy is affected, but (as the dissenting judge points
out) it doesn’t properly apply Article 8(2). This means that the Court doesn’t
identify what interests justify the breach of the right to privacy, whether the
breach was in accordance with the law, or whether it was proportionate and
necessary. While the employer interest in enforcing its policy on work
equipment should fall within the scope of ‘the rights and freedoms of others’
as a justification, it’s far from clear that the employer’s actions were clear and
foreseeable (part of the ‘in accordance with the law’ test) or proportionate.

EU law

As noted at the outset, the
judgment was issued by the European Court of Human Rights, not an ‘EU court’.
(I’ll be sending every journalist who got this wrong a batch of pork pies specially
seasoned by David Cameron). But there is a substantive
EU law element here, as briefly noted by the ECtHR. Data protection law is one
of the two main areas where EU law and human rights law frequently overlap (the
other area is asylum law).

There are several reasons to distinguish
between EU law and the ECHR. First of
all, EU law applies to 28 states, while the ECHR applies to 47. This distinction
is blurred a little in data protection law, since some non-EU states (Schengen
associates) have agreed to apply EU data protection law; that law also applies to
some companies based outside the EU (Google Spain); and non-EU countries are judged by the EU on whether their law
is ‘adequate’ from the EU’s perspective, meaning it has to be quite similar to
EU law (Schrems).

Secondly, the procedure and remedies
are different. EU law is usually developed by means of a national court pausing
its proceedings, asking the CJEU some questions and then reopening the case at
national level and applying the answers it gets. It can then apply the remedies
available in national law, which can sometimes be affected by EU law too (see Vidal-Hall and Benkharbouche). In this case, the
Romanian courts noted the EU law points, but decided against the applicants on
the merits without asking the CJEU questions. Arguably the final national court
should have sent questions to the CJEU, and its failure to do so is itself an
ECHR breach (see Daniel Sarmiento’s discussion here), but Mr. Barbulescu
didn’t raise that point. If he had won in the ECHR, the only remedies he could
get would be a declaration, costs and damages.

EU law can also be applied
against private parties, subject to the limited ability to apply it in the case
of Directives. That limitation will soon disappear when the upcoming data
protection Regulation comes into force. The ECHR cannot apply to private
parties as such, which is why this case had to be brought against the Romanian
state, not Barbulescu’s employer, although the ECtHR swept aside that
distinction by referring to the doctrine of positive obligations (ie the State
must ensure that human rights are protected in private relationships).

The biggest issue is whether
substantive EU law would give greater protection. While the ECtHR noted that this
case involved Mr. Barbulescu’s ‘personal data’ within the meaning of EU law, it
did not examine the EU legislation (the current data protection Directive)
further. The dissenting judge did so, taking into account also ‘soft law’ of
the EU’s ‘Article 29 working party’. This body of national data protection supervisors
frequently meets to adopt detailed policy statements taking a very assertive
view of how to interpret EU data protection law. Then they return home, and
fail to enforce the policies they agreed to.

Under the EU Directive, can his
employer justify collecting Barbulescu’s personal data? He did not consent to
the collection of that data, so the employer would either have to argue that it
was ‘necessary for the performance of a contract’, or for its ‘legitimate
interests’. In the latter case, those interests could be outweighed by his
rights. There’s no clear answer from this wording whether the CJEU would decide
this case the same way, interpreting the Directive: it’s arguable (as the
national courts held) that it was ‘necessary’ to monitor the employee’s
communications in order to enforce the rule against private use of
communications, or that the factors referred to by the ECtHR were enough to give
precedence to the employer’s interests over the worker’s rights. But the
overall pro-privacy tone of recent CJEU rulings on data protection (Digital Rights, Google Spain, Rynes, Schrems)
suggest that the CJEU would be more likely to rule that some prior notification
of surveillance was required.

Another issue is that some of the
data concerned the employee’s health and sex life. EU law prohibits processing this,
and other ‘sensitive’ personal data. But this prohibition is a legal fiction,
as in fact a number of grounds for processing sensitive data are permitted. In
practice, it’s more accurate to say that it’s harder to justify processing such
data. Applying that rule to this case, the Directive states that such data can
be processed if ‘necessary’ to carry out the employer’s obligations and rights ‘in
the specific field of employment law’, if that is ‘authorized by national law
providing for adequate safeguards’. It’s hard to know if these criteria were
met in this case. (These rules will not change much under the future
Regulation. There will be a new clause allowing Member States to have special
rules for employment issues, but there’s no specific mention of employer
surveillance).

Given that Romania is bound by
the EU Directive, should the ECtHR have looked further at the EU law issues? It’s
an awkward point, since the ECtHR doesn’t have jurisdiction as such to rule on
EU law. But interferences with the right to privacy must be ‘in accordance with
the law’. So there should at least have been a cursory examination of whether
the national law, and the national court’s interpretation of it, appeared to be
consistent with the relevant EU law. The ECtHR avoided doing this, because (very
unusually for a privacy case) it ignored the ‘in accordance with the law’ test
entirely.

Conclusion

Altogether, this judgment is not
the ECtHR’s finest hour. But it may not be the final word on this important
issue either. It remains to be seen whether the Grand Chamber might review this
case, or whether the CJEU or national courts, perhaps excited by the new
Regulation, might insist that higher standards apply in national law. For the
time being, though, employers should be aware that there is still a fine line
between acceptable and unacceptable monitoring of their employees.

6 comments:

That's a very nice and interesting analysis of the recent judgment. Thanks a lot. I would say it is still very hard for the ECtHR to rule on issues such as Data Protection and to maintain strict position. I think, CJEU (generally EU Law) is equipped with better and stronger tools (Article 8 of the Charter of Fundamental Rights, plus Regulation) to make the personal data protection framework more vlauable. I hope the Grand Chamber will have a different position and will take into account recent developments in Data Protection, not only inside the EU, but also outside it.

Great analis. However, I dont agree with you. It´s the same thing that happens in a relationship. Could you read your girlfriends mails in order to verify her fidelity? Probably not. It doesnt matter if i gave her the laptop. IT´S HER PRIVACY.

That raises different issues, and would possibly fall outside the scope of EU law (due to the 'household exception' to data protection law). But I don't think we disagree - I am being critical of the judgment.